#1 Global Leader in Data Resilience

"SSPI authentication failed for user"

KB ID: 4542
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2 | 12.3
Published: 2024-01-26
Last Modified: 2024-11-13
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Challenge

When the Veeam Backup & Replication Configuration Database is using PostgreSQL, direct interaction with the database may fail with the error:

SSPI authentication failed for user

Interactions where this may occur include:

Cause

This error occurs when the account being used to perform the interaction is not authorized to access the Veeam Backup & Replication configuration database within the PostgreSQL instance.

When PostgreSQL is deployed by the Veeam Backup & Replication installer, that PostgreSQL database engine is configured to use SSPI Authentication, which allows for access authentication using Windows accounts.

By default, the following Windows accounts are added as authorized to access the database directly:

  • The Windows account that was used during the initial install.
  • The NT AUTHORITY\SYSTEM account, which is the default account used by the Veeam Backup & Replication services.
Hostname Change Impact
If Veeam Backup & Replication was deployed using a local administrator account, and the hostname was changed after the software was installed, the entry for that local account within the pg_ident.conf file will be invalid.

Solution

Option 1: Use an Existing Authorized Windows Account

Identify which accounts are currently authorized to access the Veeam Backup & Replication configuration database, and perform the action as that user.

  1. Open the following file in a text editor:
    C:\Program Files\PostgreSQL\15\data\pg_ident.conf
    
  2. At the bottom of the file, you will find at least two uncommented lines with a format similar to this example*:
    veeam   User@Domain   postgres
    
    *If the PostgreSQL instance was created by the Veeam Backup & Replication installer. If the PGSQL Instance was user-created, the mapname and pg-username may be different.
  3. Use the non-SYSTEM account to perform the action that initially failed with the SSPI error.
# Put your actual configuration here
# ----------------------------------
# MAPNAME SYSTEM-USERNAME PG-USERNAME
veeam Backupsvc@DOMAIN postgres
veeam "SYSTEM@NT AUTHORITY" postgres
Example pg_ident.conf File
Option 2: Add a Windows Account to The Authorized Users Lists
Security Considerations
For day-to-day tasks involving Veeam Backup & Replication, a user does not need direct access to the Configuration Database. Therefore, from a security standpoint, it may be best to only add accounts to the pg_ident.conf file when absolutely necessary. (Consider assigning a single account as the account that will be used for performing Veeam Backup & Replication updates or Configuration Restores.) 
Part 1: Identify Which Account Was in Use When the SSPI Error Occurred

These steps assume the SSPI error has recently occurred and is still in the latest log folder.

  1. Navigate to the PostgreSQL log folder.
    The default PostgreSQL 15 path: C:\Program Files\PostgreSQL\15\data\log
  2. Sort the folder contents by last modified, and open the latest log file.
  3. Scroll to the end of the log file and begin scrolling up. Look for entries like this:
    LOG:  no match in usermap "veeam" for user "postgres" authenticated as "pgadmin@VBR12"
    FATAL:  SSPI authentication failed for user "postgres"
    
  4. Take note of the account indicated in the error.
    (In the example above, the account pgadmin@VBR12 is listed at the very end of line 1.)
To prevent issues, use the username and its format exactly as found in the error message within the PostgreSQL logs. The user mapping error shows the username format precisely as PostgreSQL expects it to appear in the pg_ident.conf mapping file.
Part 2: Add the Windows account as it appears in the error to pg_ident.conf
  1. Open the mappings file in a text editor:
    C:\Program Files\PostgreSQL\15\data\pg_ident.conf
    
  2. Add a new line at the bottom of the file in the following format:
    Replacing pgadmin@VBR12 with the account you identified in your logs on Step 4.
    veeam   pgadmin@VBR12   postgres
    
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.